Building an effective cybersecurity team is no mean feat. Hiring managers struggle to find experienced talent today and according to the most recent figures from ISACA, one in three organizations say it takes six months or longer to fill any given security position.
At the same time, though, there's a lot of hand-waving and lip service in the industry when it comes to recruiting and retaining talent. Many organizations use the constraint on security skills as an excuse to never truly ramp up a well-organized cybersecurity human resources program. That's unfortunate, because even though it is difficult, building out a quality security team is not impossible. Plenty of organizations do it, and they do it well. We recently asked some industry insiders for tips on how to get the job done. Here's what they said.
Get NICE About Gaps
Just like an organization starts a risk mitigation plan by doing a solid risk assessment that measures where they need work, they should also be systematically assessing their security skills gaps before they start anything. There's no need to reinvent the wheel here. NIST has developed a framework called NICE that can help walk organizations through the process of figuring out their needs based on current security strategies, where their core competencies lie and which skills they need to actively seek out through recruiting or training.
"You need to determine what competencies will be necessary to feed into organizational strategy. That can help. Once you determine the needed competencies, you need to assess your maturity within those competencies. This can be done subjectively (through) surveys with stakeholders, peer reviews, et cetera, or objectively (through) number of incidents, scores on learning tests and so on," says Altaz Valani, research director for Security Compass. "This will drop you into gap analysis, where you know what you need to focus on. That leads into a roadmap for taking your current team and security augmentation partners to a desired future state."
Outsource Immediate Needs
Speaking of security augmentation partners, not every gap in your organization's competencies has to be filled through hiring. Sometimes the most immediate needs are best met by turning to managed service providers, consultants and specialty security services.
"Immediate or urgent skills gaps could be filled by consultants while the company works towards ramping up their cybersecurity workforce," explains Sanjay Deo, president of consulting firm 24By7Security. "For instance, if a company does not have a full-time CISO, they could hire a part-time CISO through a consulting firm and then evaluate their needs for a full-time CISO and other security staff."
Look For Hidden Internal Gems
As security teams turn their sights toward recruiting new headcount and filling in skills they don't currently have on tap, one of the most valuable methods they can use is internal recruiting. Creatively training IT personnel from other departments has significant upside.
"Pull professionals who know your culture and know your data from tertiary departments and reinvest in them rather than relying exclusively on external hires," explains Jared Coseglia, CEO of TRU Staffing Partners, a recruiting firm that focuses on cybersecurity. "For example, many corporations and consulting firms are transitioning tech-savvy e-discovery or forensic investigation professionals into cyber-centric roles. These individuals often have the technical, business savvy, customer service, and/or project management skills needed to step in and provide leadership once trained on specific areas of cybersecurity."
Partner With Universities
When looking for new blood, some of the most valuable relationships a team leader can establish are those with relevant universities. Setting up co-op and internship programs, helping to sponsor cybersecurity competitions and making a presence within other related activities at the university level will often give an organization an edge when it comes to recruiting the best and the brightest.
"For the most valuable partnerships, target universities that have credentialed security programs, sponsor faculty-led research projects and sponsor student activities such as hackathons or competitions," says Bo Yuan, professor and chair of the Department of Computing Security at Golisano College of Computing and Information Sciences at the Rochester Institute of Technology (RIT).
Recruiting is Nice, But Retention is Better
Even if your recruiting mojo is top notch, it won't matter much if you can't keep those smart minds from looking for greener pastures. Retention strategies should be a high priority to maintain team cohesion.
This means paying them well (we'll dig further into that in a minute) but also giving them a reason to stay.
"Build continuous advancement opportunities into your development programs, putting individuals in charge of their own destiny within the organization," says Brian Murphy, CEO of ReliaQuest, a managed security service provider that has a 94% retention rate. "Show people the path and they won't need to leave to advance."
Keep Existing Staff Current
Cybersecurity skills and defense techniques are a constantly moving target. The skills you recruited in a new hire last year are positively ancient today. Training staff is absolutely essential to keeping up with the latest threats, the newest technology and the most pressing emerging risks.
"Companies that don’t provide the space and the time for their security staff to keep their skills sharp are setting themselves up to fail," says Ryan Barrett, vice president of security and privacy for cloud service provider Intermedia. "Companies with successful security teams give them the time to conduct internal evaluations and regularly send them to security conferences for fresh perspectives and hands-on training."
Pay Them Enough
Supply and demand dictates that if a particular resource is constrained, you have to pay more for it if you want to get your hands on it. Often the reason security teams can't fill positions is that they're unrealistic about how much it will cost to find a particular skill set. Similarly, they can't hold onto quality talent because they're not willing to increase salaries commensurate with the rate at which a security person is honing a very valuable skill set.
"Creating growth and development paths that include compensation opportunities can go a long way toward keeping talent. That’s particularly true of cybersecurity, where one of the biggest needs is for people with diverse experiences – developing policy and hunting for bad guys, developing strategy and implementing technology, building out processes and communicating results and risks to business executives," explains Todd Inskeep, an RSA Conference advisory board member and principal at Booz Allen Hamilton. "Compensation models that are tied only to “level” in a traditional organizational sense aren’t going to keep talent in your organization."